
Monthly Archives: November 2018

U.S. Lawmaker Says Facebook Cannot Be Trusted to Regulate Itself

No shit Sherlock

Quote

WASHINGTON — Democratic U.S. Representative David Cicilline, expected to become the next chairman of House Judiciary Committee’s antitrust panel, said on Wednesday that Facebook Inc cannot be trusted to regulate itself and Congress should take action.

Cicilline, citing a report in the New York Times on Facebook’s efforts to deal with a series of crises, said on Twitter: “This staggering report makes clear that @Facebook executives will always put their massive profits ahead of the interests of their customers.”

“It is long past time for us to take action,” he said.

Facebook did not immediately respond to a request for comment.

Facebook Chief Executive Mark Zuckerberg said a year ago that the company would put its “community” before profit, and it has doubled its staff focused on safety and security issues since then. Spending also has increased on developing automated tools to catch propaganda and material that violates the company’s posting policies.

….

“We’ve known for some time that @Facebook chose to turn a blind eye to the spread of hate speech and Russian propaganda on its platform,” said Cicilline, who will likely take the reins of the subcommittee on regulatory reform, commercial and antitrust law when the new, Democratic-controlled Congress is seated in January.

“Now we know that once they knew the truth, top @Facebook executives did everything they could to hide it from the public by using a playbook of suppressing opposition and propagating conspiracy theories,” he said.

“Next January, Congress should get to work enacting new laws to hold concentrated economic power to account, address the corrupting influence of corporate money in our democracy, and restore the rights of Americans,” Cicilline said.

B.S. — Facebook can never put “community” before profits because it’s that community, and the rape of their privacy, that is the core Facebook business model. Who are they kidding?

Delay, Deny and Deflect: How Facebook’s Leaders Fought Through Crisis

A great article worth a full read! Here we have Facebook creating their own Fake News to cover up their disgusting unethical behavior. This is a long and excellent read and highly recommended. It shows clearly Facebook’s pattern of covering up its faults with lobbyists, misinformation, and outright lies.

Note to advertisers: Withdraw all advertising on Facebook. Let them die.
Note to Facebook users: Delete your account now.

Some brief excerpts…but again, read entire article to see how this disgusting company operates.

Quote

While Mr. Zuckerberg has conducted a public apology tour in the last year, Ms. Sandberg has overseen an aggressive lobbying campaign to combat Facebook’s critics, shift public anger toward rival companies and ward off damaging regulation. Facebook employed a Republican opposition-research firm to discredit activist protesters, in part by linking them to the liberal financier George Soros. It also tapped its business relationships, lobbying a Jewish civil rights group to cast some criticism of the company as anti-Semitic.

Anti-Semitic? Need any other proof of the amoral, unethical behavior of Facebook? Disgusting. It is behavior like that that leads to more anti-Semitism. Shame!

In Washington, allies of Facebook, including Senator Chuck Schumer, the Democratic Senate leader, intervened on its behalf. And Ms. Sandberg wooed or cajoled hostile lawmakers, while trying to dispel Facebook’s reputation as a bastion of Bay Area liberalism.

This account of how Mr. Zuckerberg and Ms. Sandberg navigated Facebook’s cascading crises, much of which has not been previously reported, is based on interviews with more than 50 people. They include current and former Facebook executives and other employees, lawmakers and government officials, lobbyists and congressional staff members. Most spoke on the condition of anonymity because they had signed confidentiality agreements, were not authorized to speak to reporters or feared retaliation.

And now let’s see how they use misinformation to combat critics. It is clear that Facebook learned well from their Russian propaganda teachers.

In March, The Times, The Observer of London and The Guardian prepared to publish a joint investigation into how Facebook user data had been appropriated by Cambridge Analytica to profile American voters. A few days before publication, The Times presented Facebook with evidence that copies of improperly acquired Facebook data still existed, despite earlier promises by Cambridge executives and others to delete it.

Mr. Zuckerberg and Ms. Sandberg met with their lieutenants to determine a response. They decided to pre-empt the stories, saying in a statement published late on a Friday night that Facebook had suspended Cambridge Analytica from its platform. The executives figured that getting ahead of the news would soften its blow, according to people in the discussions.

They were wrong. The story drew worldwide outrage, prompting lawsuits and official investigations in Washington, London and Brussels. For days, Mr. Zuckerberg and Ms. Sandberg remained out of sight, mulling how to respond. While the Russia investigation had devolved into an increasingly partisan battle, the Cambridge scandal set off Democrats and Republicans alike. And in Silicon Valley, other tech firms began exploiting the outcry to burnish their own brands.

“We’re not going to traffic in your personal life,” Tim Cook, Apple’s chief executive, said in an MSNBC interview. “Privacy to us is a human right. It’s a civil liberty.” (Mr. Cook’s criticisms infuriated Mr. Zuckerberg, who later ordered his management team to use only Android phones — arguing that the operating system had far more users than Apple’s.)

Facebook scrambled anew. Executives quietly shelved an internal communications campaign, called “We Get It,” meant to assure employees that the company was committed to getting back on track in 2018.

Then Facebook went on the offensive. Mr. Kaplan prevailed on Ms. Sandberg to promote Kevin Martin, a former Federal Communications Commission chairman and fellow Bush administration veteran, to lead the company’s American lobbying efforts. Facebook also expanded its work with Definers.

On a conservative news site called the NTK Network, dozens of articles blasted Google and Apple for unsavory business practices. One story called Mr. Cook hypocritical for chiding Facebook over privacy, noting that Apple also collects reams of data from users. Another played down the impact of the Russians’ use of Facebook.

The rash of news coverage was no accident: NTK is an affiliate of Definers, sharing offices and staff with the public relations firm in Arlington, Va. Many NTK Network stories are written by staff members at Definers or America Rising, the company’s political opposition-research arm, to attack their clients’ enemies. While the NTK Network does not have a large audience of its own, its content is frequently picked up by popular conservative outlets, including Breitbart.

Mr. Miller acknowledged that Facebook and Apple do not directly compete. Definers’ work on Apple is funded by a third technology company, he said, but Facebook has pushed back against Apple because Mr. Cook’s criticism upset Facebook.

If the privacy issue comes up, Facebook is happy to “muddy the waters,” Mr. Miller said over drinks at an Oakland, Calif., bar last month.

Note to Sandberg: Take your money and retire from public life. The world will be a better place without your sleazy input.

‘No Morals’: Advertisers React to Facebook Report

Quote


Several top marketers were openly critical of the tech giant, a day after The New York Times published an investigation detailing how Facebook’s top executives — Mark Zuckerberg and Sheryl Sandberg — made the company’s growth a priority while ignoring and hiding warning signs over how its data and power were being exploited to disrupt elections and spread toxic content. The article also spotlighted a lobbying campaign overseen by Ms. Sandberg, who also oversees advertising, that sought to shift public anger to Facebook’s critics and rival tech firms.

The revelations may be “the straw that breaks the camel’s back,” said Rishad Tobaccowala, chief growth officer for the Publicis Groupe, one of the world’s biggest ad companies. “Now we know Facebook will do whatever it takes to make money. They have absolutely no morals.”

Marketers have grumbled about Facebook in the past, concerned that advertisements could appear next to misinformation and hate speech on the platform. They have complained about how the company handles consumer data and how it measures ads and its user base. But those issues were not enough to outweigh the lure of Facebook’s vast audience and the company’s insistence that it was trying to address its flaws.

And after this article was published online, Mr. Tobaccowala called The New York Times to add to his comments.

“The people there do,” he said, referring to possessing morals, “but as a business, they seem to have lost their compass.”

“So far, the track record basically has been that regardless of what Facebook does, they keep getting more money,” Mr. Tobaccowala said. “The question simply is, will this make people wake up?”

Good question! The stupidity of their user base and the equal stupidity, well actually complicity of their advertisers is a disgrace. What it may take is people to boycott those companies that advertise on Facebook. Maybe in this manner, the final nails can be put into the Facebook coffin.

Facebook Tells Advertisers It Can Reach Many Young People. Too Many

Quote

Facebook faced criticism on Wednesday after an analyst pointed out that the company’s online advertising tools claim they can reach 25 million more young Americans than the United States census says exist.

The analyst, Brian Wieser at Pivotal Research, said in a note Tuesday that Facebook’s Ads Manager says it can potentially reach 41 million 18- to 24-year-olds in the United States and 60 million 25- to 34-year-olds. The catch, according to Mr. Wieser: the census counted just 31 million 18-to-24-year-olds last year and 45 million 25-to-34-year-olds.

“The buyers and marketers I talked to were unaware of this and they are using it for planning purposes,” Mr. Wieser said in an interview. “Buyers are still going to buy from them and plan for them, but this is something that doesn’t need to be an error and puts every other metric they might provide into question.”

The criticism over audience figures comes as Facebook disclosed on Wednesday that hundreds of fake accounts apparently based in Russia had purchased $100,000 worth of political advertising during the American presidential election last year; the tech firm said it had shut down the accounts.

The census figure discrepancy is likely to be a setback for Facebook with advertisers and a boon for outside measurement companies like Nielsen and ComScore, particularly as Facebook vies to make video advertising a bigger part of its business, Mr. Wieser said. Mr. Wieser is one of two analysts with a “sell” rating on Facebook shares, compared to 42 “buy” recommendations and three “hold” ratings, according to data compiled by Bloomberg.

Unethical, disgusting company that deserves to be kicked to the curb. Delete your Facebook account now.

Anyone who knows me will hear me whine that no one takes IT Security seriously enough. The main reason is that there are no teeth in the laws that cover breaches. That leads to organizations pinching pennies. Here is an article by Bruce Schneier that lays out the case. Will I stop whining — not yet.

Quote

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses. Infosec’s cool uncle says to hell with the carrot

Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties.

So said author and computer security guru Bruce Schneier, who argued during a panel discussion at the Aspen Cyber Summit this week that without regulation, there is little hope the companies hooking their products up to the internet will implement proper security protections.

“Looking at every other industry, we don’t get security unless it is done by the government,” Schneier said.

“I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”

Schneier went on to point out that, as it stands, companies have little reason to implement safeguards into their products, while consumers aren’t interested in reading up about appliance vendors’ security policies.

“I don’t think it is going to be the market,” Schneier argued. “I don’t think people are going to say I’m going to choose my refrigerator based on the number of unwanted features that are in the device.”

Schneier is not alone in his assessment either. Fellow panellist Johnson & Johnson CISO Marene Allison noted that manufacturers have nothing akin to a bill of materials for their IP stacks, so even if customers want to know how their products and data are secured, they’re left in the dark.

“Most of the stuff out there, even as a security professional, I have to ask myself, what do they mean?” Allison said.

That isn’t to say that this is simply a matter of manufacturers being careless. Even if vendors want to do right by data security, a number of logistical hurdles will arise both short and long term.

Allison and Schneier agreed that simply trying to port over the data security policies and practices from the IT sector won’t work, thanks to the dramatically different time scales that both industrial and consumer IoT appliances tend to have.

“Manufacturers do not change all the IT out every five years,” Allison noted. “You are looking at a factory having a 25- to 45-year lifespan.”

Support will also be an issue for IoT appliances, many of which go decades between replacement.

“The lifespan for consumer goods is much more than our phones and computers, this is a very different way of maintaining lifecycle,” Schneier said.

“We have no way of maintaining consumer software for 40 years.”

Ultimately, addressing the IoT security question may need to be spearheaded by the government, but, as the panelists noted, any long-term solution will require a shift in culture and perception from manufacturers, retailers and consumers.

Cyber-crooks think small biz is easy prey… – They are!

In our experience many small businesses do not take cyber security seriously. Too bad. They are an open book to most crooks.

Quote

Here’s a simple checklist to avoid becoming an easy victim
Make sure you’re spending your hard-earned cash on the ‘right’ IT security

…Today, SMBs are no longer secondary targets, and are up against exactly the same cyber-threats with the same level of sophistication as larger organizations. Criminals have evolved, the economy in which they work has become more professional, and their understanding of SMBs has moved with the times.

Traditionally, SMB cybersecurity has been a scaled-down version of the enterprise grade, adapted to suit relatively trivial networks of commodity Windows PCs, printers, LANs, servers, and software.

As times change, what are emerging threats and what should SMBs be spending on in order to stay safe if the generic, cut-down versions of old defense measures struggle to keep up?

Here’s a simple guide on issues and pitfalls for IT bods at SMBs to think about; a starting point, if you will, for further research and planning.

Targeted extortion, email weakness

The stand-out threat is the rapid rise in extortion-based attacks that are designed to force a company to pay a ransom to regain access to data or internal systems, or to pay off hackers to stop them launching a crippling distributed denial-of-service attack against public web servers. According to Osterman, nearly one in five US-based SMBs reported being on the receiving end of a successful ransomware attack, with approaching one in three reporting the same for phishing.

Phishing can also be highly targeted with Business Email Compromise (BEC) – tricking employees into making payments to fraudsters using impersonation and spoofing – now another widely-reported attack. Typically, a miscreant pretends to be a supplier to fool staffers into paying invoices into the crook’s bank account. Alternatively, a hacker hijacks the corporate email account of a senior manager, or otherwise impersonates that person, and asks the finance department for sensitive employee files, such as tax forms that, when provided by a hoodwinked beancounter, can be used for identity theft.

This type of fraud has boomed in the last year, with cloud security company AppRiver reporting it had quarantined one million BEC emails in the first half of 2018, a rise of 55 per cent on the previous half year.

The easiest way to stop phishing attacks is never to receive them, which is the job of the email service provider or email security gateway. These vary widely in their capabilities, but all service providers should enforce spoofing control and email authentication, rejecting messages which don’t conform to standards such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC (Domain-based Message Authentication, Reporting and Conformance). Ideally, employees should have a way of reporting suspicious emails.

We see many small businesses outsourcing their mail to Gmail, Yahoo, or worse, their ISP. What a disaster. Our mail server reject logs are full of “reject events” from their servers. Setting up a secure mail server is not that difficult and does *NOT* have to be done on the same server as the website server. And it need not be expensive. There are many good options, from Microsoft Cloud to spinning up a small cloud-based Linux system running Postfix. We are experts in setting this up. We set up DKIM, DMARC and all DNS records, and configure the server to check real-time online blacklists. We also provide secure mail server appliances, which should always be used by companies dealing with sensitive data like medical or financial records. Contact us for more info.
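To make the SPF/DMARC point concrete, here is an added example (our own illustration, not code from The Register article or from any vendor) that audits a domain’s published records for the weak settings we see most often: an SPF record ending in “+all” or “?all”, too many DNS-querying mechanisms, a missing DMARC record, or a DMARC policy of “p=none” that only monitors. The domains good.example and weak.example and their TXT records are constructed for the demo; the lookup_txt function is a stand-in for a real DNS query.

```python
import re

# Constructed sample DNS TXT data standing in for real lookups. Neither domain exists;
# the records are written to show one well-configured and one weak setup.
SAMPLE_TXT = {
    "good.example": ["v=spf1 mx ip4:203.0.113.10 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s"],
    "weak.example": ["v=spf1 a mx +all"],
    # weak.example publishes no _dmarc record at all
}

ALL_RE = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)
# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per check.
DNS_MECHS = ("a", "mx", "include", "exists", "ptr", "redirect")


def lookup_txt(name, records):
    """Stand-in for a DNS TXT query; swap in a real resolver for production use."""
    return records.get(name, [])


def check_spf(domain, records):
    """Return a list of weaknesses in the domain's SPF record (empty list = fine)."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        findings.append("multiple SPF records; receivers treat this as a permanent error")
    qualifier, lookups = None, 0
    for term in spf[0].split()[1:]:
        m = ALL_RE.match(term)
        if m:
            qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
            continue
        mech = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if mech in DNS_MECHS:
            lookups += 1
    if qualifier is None:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("'+all' lets any host pass SPF for this domain")
    elif qualifier == "?":
        findings.append("'?all' is neutral; spoofed mail is not penalised")
    elif qualifier == "~":
        findings.append("'~all' softfail; move to '-all' once all legitimate senders are listed")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying mechanisms exceed the limit of 10")
    return findings


def parse_dmarc(record):
    """Split 'k=v; k=v' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(domain, records):
    """Return a list of weaknesses in the domain's DMARC record (empty list = fine)."""
    findings = []
    recs = [r for r in lookup_txt("_dmarc." + domain, records) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record; receivers cannot apply a policy to spoofed mail"]
    tags = parse_dmarc(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; the record is ignored")
    elif policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine; move to p=reject once reports look clean")
    if "rua" not in tags:
        findings.append("no 'rua' tag; you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    return findings


def audit_domain(domain, records=SAMPLE_TXT):
    """Combine both checks; 'ok' is True only when neither check found anything."""
    spf = check_spf(domain, records)
    dmarc = check_dmarc(domain, records)
    return {"spf": spf, "dmarc": dmarc, "ok": not spf and not dmarc}


if __name__ == "__main__":
    for d in ("good.example", "weak.example"):
        print(d, audit_domain(d))
```

Run it against your own domain by replacing lookup_txt with a real resolver (dnspython’s resolver is the usual choice); the findings read as the to-do list for the DNS changes we describe above.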

All backed up

An SMB’s backup routines become doubly critical to beat ransomware. Online shares and backups must be protected to stop ransomware targeting these, while offline backups are a must to act as plan B. There are numerous ways of defending valuable directories, including Windows itself such as controlled folder access as well as network-wide approaches such as VLANs. Most important of all is to test backups.

Unfortunately, ransomware doesn’t always go after data, and can be deployed to lock up entire servers running applications, knackering production systems and databases. SMB endpoint suites often include server protection which can be strengthened with careful network segmentation.

It never ceases to amaze me how many companies simply think that since they have a hardware firewall, they are protected. Not true. You also need solid endpoint protection on all devices – workstations, servers, mobile devices, etc. ESET is one of the best in our opinion. We also have several affordable backup solutions. Contact us for more info.
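“Most important of all is to test backups.” The following is an added example of what a test looks like in practice (our illustration, not code from the article or from any backup vendor): record a SHA-256 manifest of the share at backup time, keep the manifest with the offline copy, and after a restore compare the tree against it. The demo function builds a small constructed file tree in a temporary directory, simulates ransomware trashing the live share, and shows that the offline copy still verifies while the live one reports missing, modified and unexpected files.

```python
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file below root (relative path, '/' separators) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored (or still-live) tree against the manifest taken at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed scenario: take a backup, wreck the live copy, verify both copies."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "finance"))
        files = {                                      # constructed sample data
            "finance/ledger.csv": b"2018-11-01,invoice,1200\n",
            "finance/payroll.xlsx": b"constructed payroll bytes",
            "readme.txt": b"shared drive\n",
        }
        for rel, data in files.items():
            with open(os.path.join(live, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest = build_manifest(live)                # recorded at backup time
        offline = os.path.join(tmp, "offline")
        shutil.copytree(live, offline)                 # the offline plan-B copy
        # Simulate ransomware on the live share: one file overwritten in place,
        # the others overwritten and renamed, plus a ransom note dropped.
        ledger = os.path.join(live, "finance", "ledger.csv")
        with open(ledger, "wb") as f:
            f.write(b"\x00" * 32)
        for rel in ("finance/payroll.xlsx", "readme.txt"):
            path = os.path.join(live, *rel.split("/"))
            with open(path, "wb") as f:
                f.write(b"\x00" * 32)
            os.rename(path, path + ".locked")
        with open(os.path.join(live, "READ_ME.txt"), "wb") as f:
            f.write(b"pay up")
        return {
            "live": verify_restore(manifest, live),
            "offline": verify_restore(manifest, offline),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The manifest must be stored somewhere the ransomware cannot reach (with the offline copy, not on the share), otherwise a clean comparison proves nothing. Run the comparison on a schedule, not only after an incident.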

Office applications

Beyond email, office applications are often the next target. Any attachments that can be booby-trapped with malicious code that sneak through – particularly PDF and Word – should be limited by, for example, Microsoft Office’s protected view, disabling macros, and scanned for known malware. Legacy capabilities such as Object Linking and Embedding (OLE) should be disabled while powerful interfaces such as Powershell, VBScript and Jscript scripting need care and attention. If it’s not needed, chuck it.

User training is very important in this regard. Also, as previously stated, Endpoint Security helps greatly in controlling and scanning these objects.
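The article says booby-trapped Office attachments should be limited and scanned. As an added example (ours, not the article’s, and not how any particular gateway product works), here is a small in-memory check that opens an OOXML attachment (.docx/.docm/.xlsx and friends are zip packages) and flags a VBA macro project or an embedded OLE object, which are exactly the two features the article says to disable. The sample documents are constructed inside the script with stub contents; no real files are read.

```python
import io
import zipfile

# Parts and content type that mark a VBA macro project inside an OOXML package.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CT = "application/vnd.ms-office.vbaProject"


def inspect_office_attachment(data):
    """Return findings for an OOXML attachment held in memory (empty list = nothing flagged)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not an OOXML package (not a zip)"]
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return ["zip without [Content_Types].xml: not a valid OOXML package"]
    findings = []
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    if any(n in names for n in MACRO_PARTS) or MACRO_CT in content_types:
        findings.append("VBA macro project present")
    for n in names:
        # Embedded OLE objects live under <part>/embeddings/, e.g. word/embeddings/oleObject1.bin
        if "/embeddings/" in n:
            findings.append("embedded OLE object: " + n)
    return findings


def make_sample(parts):
    """Build an in-memory zip from {name: content}; used only to construct demo documents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLEAN_CT = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/></Types>')
MACRO_CT_XML = CLEAN_CT.replace(
    "</Types>", f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CT}"/></Types>')
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file magic; rest is a stub


def demo():
    """Constructed attachments: a clean .docx, a macro-enabled .docm, a .docx with OLE, a PDF."""
    base = {"word/document.xml": "<w:document/>"}
    clean = make_sample({"[Content_Types].xml": CLEAN_CT, **base})
    macro = make_sample({"[Content_Types].xml": MACRO_CT_XML, **base,
                         "word/vbaProject.bin": OLE_HEADER + b" constructed stub"})
    ole = make_sample({"[Content_Types].xml": CLEAN_CT, **base,
                       "word/embeddings/oleObject1.bin": OLE_HEADER + b" constructed stub"})
    return {
        "clean": inspect_office_attachment(clean),
        "macro": inspect_office_attachment(macro),
        "ole": inspect_office_attachment(ole),
        "pdf": inspect_office_attachment(b"%PDF-1.4 constructed, not a zip"),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "nothing flagged")
```

A check like this belongs at the mail gateway, where a flagged attachment can be quarantined for review rather than delivered; it complements, not replaces, the Protected View and macro-blocking settings on the workstation.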

Backdoor RDP and authentication

Another emerging target for hackers is Microsoft’s Remote Desktop Protocol (RDP), which many SMBs turn on to enable remote support. Discovering RDP ports left open to the internet isn’t hard, and all crooks need is a password to use this as a door into the average SMB – this can often be brute-forced assuming one’s even been set.

The sad part is, it’s incredibly easy not to notice that this weakness even exists because it’s not the first thing admins think about. Armed with an open RDP, attackers have effectively found a way to bypass all controls, turning off whichever processes – including the security protecting servers – they please. Game over. Configuration weaknesses are often to blame for the RDP hole and it could be mitigated in many instances by simple investment in better authentication for admin accounts, which should always enforce this security.

But let’s not forget firewalls – they’re no longer a magic shield, but they are great friends for jobs such as closing RDP back doors to outside access. Firewalls also lock down guest Wi-Fi networks from reaching other parts of the business, detect suspicious outgoing connections – such as malware or rogue employees exfiltrating sensitive information – and more.

Use access controls and firewalls to limit and compartmentalize your organization, so teams access only the information they need, and sensitive data cannot leave those compartments.

Anyone not using two factor authentication for remote access along with strong password management is simply being foolish. It is not expensive and there are several options including Microsoft, ESET and others. Contact us for more info.
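Closing RDP to the internet and adding two factor authentication is the fix; noticing that someone is hammering an exposed RDP port is the other half. As an added example (ours, not from the article), here is the detection logic we would run over Windows Security log exports: a source IP that produces five or more failed RemoteInteractive logons (Event ID 4625, LogonType 10) within five minutes is flagged, and any successful logon (Event ID 4624) from a flagged IP afterwards gets its own alert. The events below are constructed sample data in the shape of those log fields, with the addresses taken from documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failed RDP logons from one source IP ...
WINDOW = timedelta(minutes=5)   # ... within this window raise an alert
RDP_LOGON_TYPE = 10             # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample events in the shape of Windows Security log fields:
# (timestamp, EventID, LogonType, source IP, account). 4625 = failed logon, 4624 = success.
SAMPLE_EVENTS = [
    ("2018-11-20T02:00:01", 4625, 10, "198.51.100.7", "administrator"),
    ("2018-11-20T02:00:03", 4625, 10, "198.51.100.7", "admin"),
    ("2018-11-20T02:00:05", 4625, 3, "198.51.100.7", "admin"),       # network logon, not RDP
    ("2018-11-20T02:00:08", 4625, 10, "198.51.100.7", "backup"),
    ("2018-11-20T02:00:12", 4625, 10, "198.51.100.7", "jsmith"),
    ("2018-11-20T02:00:15", 4625, 10, "198.51.100.7", "jsmith"),
    ("2018-11-20T02:00:20", 4625, 10, "198.51.100.7", "jsmith"),
    ("2018-11-20T02:01:00", 4624, 10, "198.51.100.7", "jsmith"),     # guessed it
    ("2018-11-20T08:30:00", 4625, 10, "203.0.113.5", "mjones"),      # a real user's typos
    ("2018-11-20T08:30:10", 4625, 10, "203.0.113.5", "mjones"),
    ("2018-11-20T08:30:20", 4624, 10, "203.0.113.5", "mjones"),
]


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return (kind, source_ip, detail) alerts for RDP brute force and success-after-failure."""
    alerts = []
    recent = defaultdict(deque)   # source IP -> timestamps of failures inside the window
    flagged = set()
    for ts_s, event_id, logon_type, ip, user in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue                      # only RDP sessions are of interest here
        ts = datetime.fromisoformat(ts_s)
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if event_id == 4625:
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, f"{len(q)} failed RDP logons within {window}"))
        elif event_id == 4624 and ip in flagged:
            alerts.append(("success-after-bruteforce", ip, f"logon as {user} at {ts_s}"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(kind, ip, detail)
```

The second alert type is the one to page someone for: a successful logon from an address that was just guessing passwords means the account needs to be disabled and the session killed. Tune the threshold to your help desk’s reality so a user fat-fingering a password twice does not trip it.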

Data theft

IT security breaches resulting in the theft of data are a perennial threat. Ten years ago, the unauthorized slurpage of customer data appeared to be something that happened only to large outfits such as US company TJX that had huge amounts of data worth stealing. Recent headlines, British Airways and Equifax, confirm this is still the case, although thieves are setting their sights lower. Verizon’s 2018 Data Breach Investigations analysis of 2,216 known data thefts found that 58 per cent of such breaches were reported at SMBs.

While rogue insiders are a legit security threat IT managers should be on the lookout for, the exploitation of vulnerabilities in software lies at the root of many successful cyber attacks. The scale of the challenge in defending against hackers leveraging buggy code can be seen in figures from CVE Details, which reported 14,600 vulnerabilities in 2017, excluding zero days, up from 6,447 in 2016.

You shouldn’t read too much from CVE-labeled bug totals – more flaws found may well mean we’re getting better at finding and fixing them – although it does mean there’s more patching to do before exploits are developed and used in the wild.

SMBs lacking dedicated in-house security personnel need to automate patch management as much as possible. The first trick is to reduce the amount of software that needs patching in the first place by removing old applications and plugins such as Flash and Java and standardising on one browser and office suite. Service providers will do some of the patching job while endpoint security suites will usually now have a module for managing more specialised needs.

Data security

The struggle small organisations have in securing sensitive data is often tied to the difficulty in properly and competently using encryption. Many SMBs end up with a patchwork of systems, and varying levels of protection. It’s too easy to make a mistake, and leave chunks of information unprotected. The logical solution is to use a single product that can be controlled centrally, but as with authentication finding a system built for SMB use can be a challenge.

Encrypting outward email is becoming more popular but may not be practical for all SMBs. Encrypting files when at rest is, however, a must. Every portable device should be encrypted while Microsoft’s BitLocker can be used for local file security on Windows PCs.

ESET offers an excellent, easily managed whole disk encryption. Contact us for more info.

Watch the cloud

SMBs are increasingly using cloud services for data storage and applications, indeed this might one day soon become the main place much of their IT systems reside. Arguably, this should boost security because it will rationalise many of the problems already mentioned into a series of security processes under one or a small number of services. Most SMBs are not yet ready to trust cloud platforms with their crown jewels, but when they do, it could potentially improve their security simply because it will make it easier to manage.

The cybersecurity challenge for SMBs has always been that they must cope with the same security threats as larger companies but without the same level of resources. Cybercriminals know this, which is why – in a sense – SMB-specific campaigns are always a form of social engineering that exploits pressure points, such as a lack of understanding, time, and weak processes.

Irrespective of size, there’s not always a single failure that explains why these keep happening so much as a collection of weaknesses covering patching, data controls and encryption, cloud security, authentication, privilege management, as well as the difficulty of defending email systems.

Lacking resources to throw at a cyber-incident, the rules for every SMB are clear: simplify the IT estate as much as possible, clear out unwanted software, layers of access controls, and choose a good partner to help with the tricky details as insurance against the day when the cybercriminals come knocking with a crowbar.

In conclusion, it is long past the time for SMBs to get serious about security. It does not need to be expensive. We can help on all these items and more. Contact us for more info.